Google authenticator : Access-Reject
Alan DeKok
aland at deployingradius.com
Tue Apr 24 16:00:12 CEST 2018
> On Apr 24, 2018, at 9:56 AM, <servernemesis at tutanota.com> <servernemesis at tutanota.com> wrote:
>
> (0) Received Access-Request Id 65 from 127.0.0.1:46785 to 127.0.0.1:1812 length 92
> (0) User-Name = "user at mydomain.com"
That's the full user name, *with* domain.
...
> (0) suffix: Checking for suffix after "@"
> (0) suffix: Looking up realm "mydomain.com" for User-Name = "user at mydomain.com"
> (0) suffix: No such realm "mydomain.com"
> (0) [suffix] = noop
And there's no realm, so the User-Name isn't being stripped of the domain name.
> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
> (0) pam: ERROR: pam_authenticate failed: Authentication failure
Does PAM (and everything past it) know about "user", or "user at mydomain.com"?
If it doesn't know about the domain, then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf).
Once that's done, FreeRADIUS will pass "user" to PAM, and it should work.
*Reading* the debug output helps. See also http://wiki.freeradius.org/radiusd-X
Alan DeKok.
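
The realm change suggested in the reply above, as an added example (not part of the original message and not the poster's actual configuration). It assumes the stock FreeRADIUS proxy.conf, where a realm with no home server pool is treated as LOCAL:

```conf
# proxy.conf
#
# A realm with no auth_pool / acct_pool is handled locally: requests
# are not proxied, and the "suffix" module strips "@mydomain.com"
# from User-Name before later modules (here, pam) see it.
realm mydomain.com {
	# Intentionally empty: no home server pool means LOCAL.
	#
	# Do not set "nostrip" here. With "nostrip", the realm is
	# recognised but the domain is left on the user name, so PAM
	# would still be asked about the full "user@domain" form.
}
```

After restarting the server, the radiusd -X output for the same request should show the suffix module finding the realm instead of "No such realm".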